Prosecution Insights
Last updated: July 17, 2026
Application No. 19/058,593

CYBER SECURITY SYSTEM FOR EMAIL MESSAGE PROTECTION

Non-Final OA §102§103
Filed
Feb 20, 2025
Priority
Feb 20, 2024 — provisional 63/555,823
Examiner
BAZNA, JUDY
Art Unit
Tech Center
Assignee
Darktrace Holdings Limited
OA Round
1 (Non-Final)
67%
Grant Probability
Favorable
1-2
OA Rounds
1y 8m
Est. Remaining
92%
With Interview

Examiner Intelligence

Grants 67% — above average
67%
Career Allowance Rate
18 granted / 27 resolved
+6.7% vs TC avg
Strong +26% interview lift
Without
With
+25.6%
Interview Lift
resolved cases with interview
Typical timeline
3y 1m
Avg Prosecution
9 currently pending
Career history
46
Total Applications
across all art units

Statute-Specific Performance

§103
96.6%
+56.6% vs TC avg
§102
0.8%
-39.2% vs TC avg
§112
0.8%
-39.2% vs TC avg
Black line = Tech Center average estimate • Based on career data from 27 resolved cases

Office Action

§102 §103
Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Claim Rejections - 35 USC § 102 In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action: A person shall be entitled to a patent unless – (a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention. Claim(s) 1, 3-5 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Pickman (US 20200396190 A1) Regarding claim 1, Pickman teaches a cyber security appliance for data loss protection caused by an email message transmitted from or within an enterprise, comprising: a communication module including one or more input/output (1/O) ports (Para [0008]. FIG. 2: a secure communications module in the endpoint agent extension configured to securely communicate with one or more modules in a cyber security appliance of the cyber defense system located in a network connected to the endpoint computing device in order to receive contextual information outside an email domain about the outbound email under analysis, as well as take instructions or receive additional information from an autonomous response module of the cyber security appliance regarding what autonomous action to take against the outbound email to mitigate a threat posed by the outbound email and its attachments and/or links.); an email protection module communicatively coupled to the communication module (Para [0008]. FIG. 2: a secure communications module in the endpoint agent extension configured to securely communicate with one or more modules in a cyber security appliance of the cyber defense system 660.), the email protection module comprises email threat detection logic to analyze content associated with the email message received via the one or more I/O ports for potential data loss characteristics (Para [0026]. FIG. 1. claim 4: the attachment analyzer of the endpoint agent extension 100 scans any files i) attached to and/or ii) linked to the outbound email that is about to be sent in an outbox, in order to analyze content and meta data of the file, including a type of file, a size of the file, etc., via investigation of the file structure. Where the contextual information about attached files to the email under analysis to determine whether the outbound email under analysis and its attachments and/or links either i) are unusual or ii) are not unusual in context of a current user's behavior under analysis, to prevent incidents of data loss as well as wrongly addressed recipients.); an autonomous response module communicatively coupled to the email protection module, the autonomous response module is configured to cause a first set of autonomous actions directed to data loss prevention (Para [0030]. Para [0046]. Para [0070]. FIG. 2. Fig. 3: an autonomous response module of the cyber security appliance regarding what autonomous action to take against the outbound email to mitigate a threat posed by the outbound email and its attachments and/or links. The autonomous response module and/or action module can be used, rather than a human taking an action, to cause one or more autonomous rapid actions to be taken to contain the cyber-threat for the outbound email under analysis when a threat risk parameter from a cyber-threat module is equal to or above an actionable threshold. The autonomous response module can be configured to direct the action module to perform these actions. The endpoint agent extension 100 extends the autonomous actions that the email module in cooperation with the autonomous response module can perform to also encompass various actions on outbound emails about to be sent; and therefore, for example, prevent data-loss, enforce compliance policies and procedures, etc.); and where instructions implemented in software for the communication module, the email protection module, and the autonomous response module are configured to be stored in one or more non-transitory storage mediums to be executed by one or more processing units (Claim 3: any modules including the autonomous response module are implemented in software, then their instructions are stored in one or more non-transitory machine readable storage mediums in a format when executed by the endpoint computing device.). Regarding claim 3, Pickman teaches the cyber security appliance of claim 1, wherein the email threat detection logic of the email protection module is configured to analyze the content associated with the email message by at least analyzing (i) specific content uncovered from an analysis of the email message providing context surrounding the email message (Para [0011]. Para [0048]. FIG. 5: an email module and/or cyber threat module factoring in many other example factors in order to compare the email, based on multiple aspects of the email, in order to determine a threat posed. endpoint agent extension 100 plugs-in to the email client application to allow scanning email attachments for content, with similar tools that detect known bad malware, but also makes judgments on whether an attached file or linked file, is otherwise normally benign, but now is malicious in context.) and (ii) results obtained from comparison of the email message to normal or expected enterprise- based communications (Claim 1: a cyber threat module determines the outbound email including its attached files and/or linked files to be both malicious and anomalous behavior as compared to a user's modeled email behavior.). Regarding claim 4, Pickman teaches the cyber security appliance of claim 3, wherein the analyzing of the specific content is conducted by a first analysis source corresponding to a first artificial intelligence based (Al-based) logic and the results obtained from the comparison of the email message to the normal or expected enterprise-based communications is conducted by a second analysis source corresponding to a second Al-based logic different than the first Al-based logic (Fig. 6. Para [0036]. Para [0079]. Para [0083]. Para [0112]: In an embodiment, the cyber threat module of the endpoint agent extension performs machine learning analysis, with one or more machine learning models on all inbound and outbound mail flow for an organization to develop an awareness of the pattern-of-life for each individual user, the organization as a whole, and clustered groups of users the machine learning identifies as being closely associated. In an embodiment, i) the endpoint agent extension can host the AI models, ii) the cyber security appliance 660 can host the AI models, and/or iii) a portion of both the endpoint agent extension and the cyber security appliance 660 may each share some portion of the AI models to perform the machine learning analysis. The cyber security appliance 660 may include components such as one or more machine learning models including a first Artificial Intelligence model trained on characteristics of an email itself and its related data, a second Artificial Intelligence model trained on potential cyber threats. when the models leverage at least two different approaches to detecting anomalies: e.g. comparing each system's behavior to its own history, and comparing that system to its peers' history and/or e.g. comparing an email to both characteristics of emails and the activities and behavior of its email users, this multiple source comparison allows the models to avoid learning existing bad behavior as ‘normal’ because compromised devices/users/components/emails will exhibit behavior different to their immediate peers.). Regarding claim 5, Pickman teaches the cyber security appliance of claim 4, wherein the specific content uncovered from the analysis of the email message includes a message type of the email message identifying the email message as an outbound email message or a lateral email message or a size of the email message and the results obtain from the comparison are based on operations conducted by artificial intelligence (AI) based logic (Para [0026]: the attachment analyzer of the endpoint agent extension 100 scans any files i) attached to and/or ii) linked to the outbound email that is about to be sent in an outbox, in order to analyze content and meta data of the file, including a type of file, a size of the file, etc., via investigation of the file structure, a meta data analysis tool, and machine learning analysis as well as perform other analysis to gather information about a given file itself and the content in the file.). Claim Rejections - 35 USC § 103 In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claim(s) 2, 8-11, 14, 15 are rejected under 35 U.S.C. 103 as being unpatentable over Pickman (US 20200396190 A1) in view of Pettigrew (US 20060112166 A1). Regarding claim 2, Pickman teaches the cyber security appliance of claim 1, wherein the email threat detection logic of the email protection module (Perform an action) (Pickman Para [0026]. FIG. 1. claim 4: the attachment analyzer of the endpoint agent extension 100 scans any files i) attached to and/or ii) linked to the outbound email that is about to be sent in an outbox, in order to analyze content and meta data of the file, including a type of file, a size of the file, etc., via investigation of the file structure. Where the contextual information about attached files to the email under analysis to determine whether the outbound email under analysis and its attachments and/or links either i) are unusual or ii) are not unusual in context of a current user's behavior under analysis, to prevent incidents of data loss as well as wrongly addressed recipients.). Pickman does not explicitly disclose the module further comprises high availability fail-open control logic configured to (i) detect operational failure of the email protection module or intake disruption via an Application Programming Interface (API) providing access to the email module and (ii) redirect email messages to cloud infrastructure pertaining to the enterprise for temporary storage and subsequent release of the redirected email messages upon detecting the operational failure or the intake disruption. Pettigrew teaches the module further comprises high availability fail-open control logic configured to (i) detect operational failure of the email protection module or intake disruption via an Application Programming Interface (API) providing access to the email module (Claim 1: a deferral monitor that detects failure of the client email system; and a mailbox creation process that, in response to a failure.) and (ii) redirect email messages to cloud infrastructure pertaining to the enterprise for temporary storage and subsequent release of the redirected email messages upon detecting the operational failure or the intake disruption (Para [0022]. Para [0024]: in response to email system failure, the message is passed to storage facility 400. The storage facility 400 stores mail in user mailboxes that mimic the affected client domains. Once the client email system is restored, a transfer process is activated that passes the stored email messages from the storage facility 400 to the respective mailboxes on the client system. once the client email system is repaired, a correct and complete image of the client's email system can be restored.). Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Pickman of analyzing emails for potential data loss with the teachings of Pettigrew to include the module further comprises high availability fail-open control logic configured to (i) detect operational failure of the email protection module or intake disruption via an Application Programming Interface (API) providing access to the email module and (ii) redirect email messages to cloud infrastructure pertaining to the enterprise for temporary storage and subsequent release of the redirected email messages upon detecting the operational failure or the intake disruption in order to safely hold the messages until the system repaired. Regarding claim 8, Pickman teaches implemented within a cyber security appliance, a non-transitory storage medium configured to store instructions in a format that, when executed by one or more processors, conducts data loss prevention evaluation of an email message to protect against exfiltration of sensitive data from an enterprise (Para [0070]), the non-transitory storage medium comprising: an email protection module including email threat detection logic to analyze content associated with the email message for potential data loss characteristics (Para [0026]. FIG. 1. claim 4: the attachment analyzer of the endpoint agent extension 100 scans any files i) attached to and/or ii) linked to the outbound email that is about to be sent in an outbox, in order to analyze content and meta data of the file, including a type of file, a size of the file, etc., via investigation of the file structure. Where the contextual information about attached files to the email under analysis to determine whether the outbound email under analysis and its attachments and/or links either i) are unusual or ii) are not unusual in context of a current user's behavior under analysis, to prevent incidents of data loss as well as wrongly addressed recipients.). Pickman does not explicitly disclose high availability fail-open control logic configured to (i) detect operational failure of the email module or intake disruption of email messages via an Application Programming Interface (API) providing access to the email module and (ii) redirect the email messages to cloud infrastructure pertaining to the enterprise for temporary storage and subsequent release of the redirected email messages upon detecting the operational failure or the intake disruption. Pettigrew teaches high availability fail-open control logic configured to (i) detect operational failure of the email module or intake disruption of email messages via an Application Programming Interface (API) providing access to the email module (Claim 1. Para [0022]. Para [0024]: a deferral monitor that detects failure of the client email system; and a mailbox creation process that, in response to a failure. in response to email system failure, the message is passed to storage facility 400.) and (ii) redirect the email messages to cloud infrastructure pertaining to the enterprise for temporary storage and subsequent release of the redirected email messages upon detecting the operational failure or the intake disruption (Claim 1. Para [0022]. Para [0024]: a deferral monitor that detects failure of the client email system; and a mailbox creation process that, in response to a failure. in response to email system failure, the message is passed to storage facility 400. The storage facility 400 stores mail in user mailboxes that mimic the affected client domains. Once the client email system is restored, a transfer process is activated that passes the stored email messages from the storage facility 400 to the respective mailboxes on the client system. once the client email system is repaired, a correct and complete image of the client's email system can be restored.). Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Pickman of analyzing emails for potential data loss with the teachings of Pettigrew to include high availability fail-open control logic configured to (i) detect operational failure of the email module or intake disruption of email messages via an Application Programming Interface (API) providing access to the email module and (ii) redirect the email messages to cloud infrastructure pertaining to the enterprise for temporary storage and subsequent release of the redirected email messages upon detecting the operational failure or the intake disruption in order to safely hold the messages until the system repaired. Regarding claim 9, Pickman in view of Pettigrew teaches the non-transitory storage medium of claim 8, wherein the email threat detection logic of the email protection module is configured to analyze the content associated with the email message by at least analyzing (i) specific content uncovered from an analysis of the email message providing context surrounding the email message (Pickman Para [0011]. Para [0048]. FIG. 5: an email module and/or cyber threat module factoring in many other example factors in order to compare the email, based on multiple aspects of the email, in order to determine a threat posed. endpoint agent extension 100 plugs-in to the email client application to allow scanning email attachments for content, with similar tools that detect known bad malware, but also makes judgments on whether an attached file or linked file, is otherwise normally benign, but now is malicious in context.) and (ii) results obtained from comparison of the email message to normal or expected enterprise- based communications (Pickman Claim 1: a cyber threat module determines the outbound email including its attached files and/or linked files to be both malicious and anomalous behavior as compared to a user's modeled email behavior.). Regarding claim 10, Pickman in view of Pettigrew teaches the non-transitory storage medium of claim 9, wherein the analyzing of the specific content is conducted by a first analysis source corresponding to a first artificial intelligence based (Al-based) logic and the analyzing of the results obtained from the comparison of the email message to the normal or expected enterprise-based communications is conducted by a second analysis source corresponding to a second Al-based logic different than the first Al-based logic (Pickman Fig. 6. Para [0036]. Para [0079]. Para [0083]. Para [0112]: In an embodiment, the cyber threat module of the endpoint agent extension performs machine learning analysis, with one or more machine learning models on all inbound and outbound mail flow for an organization to develop an awareness of the pattern-of-life for each individual user, the organization as a whole, and clustered groups of users the machine learning identifies as being closely associated. In an embodiment, i) the endpoint agent extension can host the AI models, ii) the cyber security appliance 660 can host the AI models, and/or iii) a portion of both the endpoint agent extension and the cyber security appliance 660 may each share some portion of the AI models to perform the machine learning analysis. The cyber security appliance 660 may include components such as one or more machine learning models including a first Artificial Intelligence model trained on characteristics of an email itself and its related data, a second Artificial Intelligence model trained on potential cyber threats. when the models leverage at least two different approaches to detecting anomalies: e.g. comparing each system's behavior to its own history, and comparing that system to its peers' history and/or e.g. comparing an email to both characteristics of emails and the activities and behavior of its email users, this multiple source comparison allows the models to avoid learning existing bad behavior as ‘normal’ because compromised devices/users/components/emails will exhibit behavior different to their immediate peers.). Regarding claim 11, Pickman in view of Pettigrew teaches the non-transitory storage medium of claim 10, wherein the specific content uncovered from the analysis of the email message includes a message type of the email message identifying the email message as an outbound email message or a lateral email message or a size of the email message and the results obtain from the comparison are based on operations conducted by artificial intelligence (AI) based logic (Pickman Para [0026]: the attachment analyzer of the endpoint agent extension 100 scans any files i) attached to and/or ii) linked to the outbound email that is about to be sent in an outbox, in order to analyze content and meta data of the file, including a type of file, a size of the file, etc., via investigation of the file structure, a meta data analysis tool, and machine learning analysis as well as perform other analysis to gather information about a given file itself and the content in the file.). Regarding claim 14, Pickman teaches a computerized method for conducting data loss prevention operations on email messages to protect against exfiltration of sensitive information from an enterprise, comprising: analyzing content associated with an email message by an email protection module for potential data loss characteristics based on a comparison of content and context of the email message to normal or expected email message exchanges within the enterprise (Para [0026]. Fig. 6. Para [0079]. Para [0083]. Para [0112]. FIG. 1. claim 4: the attachment analyzer of the endpoint agent extension 100 scans any files i) attached to and/or ii) linked to the outbound email that is about to be sent in an outbox, in order to analyze content and meta data of the file, including a type of file, a size of the file, etc., via investigation of the file structure. Where the contextual information about attached files to the email under analysis to determine whether the outbound email under analysis and its attachments and/or links either i) are unusual or ii) are not unusual in context of a current user's behavior under analysis, to prevent incidents of data loss as well as wrongly addressed recipients. when the models leverage at least two different approaches to detecting anomalies: e.g. comparing each system's behavior to its own history, and comparing that system to its peers' history and/or e.g. comparing an email to both characteristics of emails and the activities and behavior of its email users, this multiple source comparison allows the models to avoid learning existing bad behavior as ‘normal’ because compromised devices/users/components/emails will exhibit behavior different to their immediate peers.). Pickman does not explicitly disclose detecting an operational failure of the email module or intake disruption of email messages into the email module; and redirecting the email messages to cloud infrastructure pertaining to the enterprise for temporary storage and subsequent release of the redirected email messages while the operational failure or intake disruption of the email module exists. Pettigrew teaches detecting an operational failure of the email module or intake disruption of email messages into the email module (Claim 1. Para [0022]. Para [0024]: a deferral monitor that detects failure of the client email system; and a mailbox creation process that, in response to a failure. in response to email system failure, the message is passed to storage facility 400. The storage facility 400 stores mail in user mailboxes that mimic the affected client domains. Once the client email system is restored, a transfer process is activated that passes the stored email messages from the storage facility 400 to the respective mailboxes on the client system. once the client email system is repaired, a correct and complete image of the client's email system can be restored.); and redirecting the email messages to cloud infrastructure pertaining to the enterprise for temporary storage and subsequent release of the redirected email messages while the operational failure or intake disruption of the email module exists (Claim 1. Para [0022]. Para [0024]: a deferral monitor that detects failure of the client email system; and a mailbox creation process that, in response to a failure. in response to email system failure, the message is passed to storage facility 400. The storage facility 400 stores mail in user mailboxes that mimic the affected client domains. Once the client email system is restored, a transfer process is activated that passes the stored email messages from the storage facility 400 to the respective mailboxes on the client system. once the client email system is repaired, a correct and complete image of the client's email system can be restored.). Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Pickman of analyzing emails for potential data loss with the teachings of Pettigrew to include detecting an operational failure of the email module or intake disruption of email messages into the email module; and redirecting the email messages to cloud infrastructure pertaining to the enterprise for temporary storage and subsequent release of the redirected email messages while the operational failure or intake disruption of the email module exists in order to safely hold the messages until the system repaired. Regarding claim 15, Pickman in view of Pettigrew teaches the computerized method of claim 14, wherein the analyzing of the content associated with the email message includes at least (i) analyzing specific content uncovered from an analysis of the email message providing context surrounding the email message (Pickman Para [0011]. Para [0048]. FIG. 5: an email module and/or cyber threat module factoring in many other example factors in order to compare the email, based on multiple aspects of the email, in order to determine a threat posed. endpoint agent extension 100 plugs-in to the email client application to allow scanning email attachments for content, with similar tools that detect known bad malware, but also makes judgments on whether an attached file or linked file, is otherwise normally benign, but now is malicious in context.) and (ii) analyzing results obtained from the comparison of the content and context of the email message to normal or expected email message exchanges within the enterprise (Pickman Claim 1: a cyber threat module determines the outbound email including its attached files and/or linked files to be both malicious and anomalous behavior as compared to a user's modeled email behavior.). Claim 6 is rejected under 35 U.S.C. 103 as being unpatentable over Pickman (US 20200396190 A1) in view of Sundaram (US 20220394008 A1). Regarding claim 6, Pickman teaches the cyber security appliance of claim 4, wherein features considered in analyzing the content associated with the email message differ based on a type of email message being either an outbound email message or a lateral email message (Para [0070]- [0072]). Pickman does not explicitly disclose different sets of weightings used for analyzing the content associated with the email message differs based on the type of email message and a type of data loss characteristics detected being either an accidental data loss or a malicious data loss. Sundaram teaches different sets of weightings used for analyzing the content associated with the email message differs based on the type of email message and a type of data loss characteristics detected being either an accidental data loss or a malicious data loss (Para [0035]-[0037]. Para [0095]-[0096]: By implementing the methods described in steps 201-248, both misdirected email identification methods and email data loss prevention methods may be integrated. For example, if an email is identified as misdirected, but does not violate data loss prevention rules, the email may nevertheless be sent (e.g., to minimize notifications to a user). In contrast, if an email is identified as properly directed, but does violate data loss prevention rules, the message may be blocked (e.g., to prevent unauthorized transfer of confidential or other sensitive information). If a message is flagged using both the misdirected email identification and data loss prevention methods, it may similarly be blocked. Although shown as being performed in sequence, this is for illustrative purposes only, and in some instances, the misdirected email identification and data loss prevention methods/techniques may be performed in parallel. Furthermore, in some instances, outputs of each method/technique may be sent to a separate system for a final determination of how to proceed and/or to notify the message sender. In doing so, user experience may be balanced with message security and data loss, so as to prevent the sending of misdirected messages only when necessary. In some instances, the results of these methods for different use cases may be summarized in table 905, which is shown in FIG. 9.). Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Pickman with the teachings of Sundaram to include different sets of weightings used for analyzing the content associated with the email message differs based on the type of email message and a type of data loss characteristics detected being either an accidental data loss or a malicious data loss in order to prevent the misdirected emails with user experience concerns. Claim 7 is rejected under 35 U.S.C. 103 as being unpatentable over Pickman (US 20200396190 A1) in view of TALATI (US 20130110748 A1). Regarding claim 7, Pickman teaches the cyber security appliance of claim 1, (perform an action) using artificial intelligence based (Al-based) logic (Fig. 6. Para [0036]. Para [0079]. Para [0083]. Para [0112]: In an embodiment, the cyber threat module of the endpoint agent extension performs machine learning analysis, with one or more machine learning models on all inbound and outbound mail flow for an organization to develop an awareness of the pattern-of-life for each individual user, the organization as a whole, and clustered groups of users the machine learning identifies as being closely associated. In an embodiment, i) the endpoint agent extension can host the AI models, ii) the cyber security appliance 660 can host the AI models, and/or iii) a portion of both the endpoint agent extension and the cyber security appliance 660 may each share some portion of the AI models to perform the machine learning analysis. The cyber security appliance 660 may include components such as one or more machine learning models including a first Artificial Intelligence model trained on characteristics of an email itself and its related data, a second Artificial Intelligence model trained on potential cyber threats. when the models leverage at least two different approaches to detecting anomalies: e.g. comparing each system's behavior to its own history, and comparing that system to its peers' history and/or e.g. comparing an email to both characteristics of emails and the activities and behavior of its email users, this multiple source comparison allows the models to avoid learning existing bad behavior as ‘normal’ because compromised devices/users/components/emails will exhibit behavior different to their immediate peers.). Pickman does not disclose wherein the email protection module further comprises security mailbox assistant logic configured to generate, one or more feedback messages to an end user reporting the email message as an email security threat that identifies whether the email message constituted a data loss security threat and a brief explanation of notable factors as to why the email message warranted a data loss prevention action. TALATI does teach wherein the email protection module further comprises security mailbox assistant logic configured to generate, one or more feedback messages to an end user reporting the email message as an email security threat that identifies whether the email message constituted a data loss security threat and a brief explanation of notable factors as to why the email message warranted a data loss prevention action (Claim 1. Para [0038]: The policy page may be viewed in an Internet browser. A sample policy page is shown in FIG. 2. The policy page may identify the reason the captured phrase is problematic, and/or suggest alternate language or actions for the user to take in order to reduce or eliminate the potential violation of policy or law.). Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Pickman with the teachings of TALATI to include wherein the email protection module further comprises security mailbox assistant logic configured to generate, one or more feedback messages to an end user reporting the email message as an email security threat that identifies whether the email message constituted a data loss security threat and a brief explanation of notable factors as to why the email message warranted a data loss prevention action in order to translate the security protocols into understandable feedback. Claim 12 is rejected under 35 U.S.C. 103 as being unpatentable over Pickman (US 20200396190 A1) in view of in view of Pettigrew (US 20060112166 A1) in view of Sundaram (US 20220394008 A1) Regarding claim 12, Pickman in view of Pettigrew teaches the non-transitory storage medium of claim 10, wherein features considered in analyzing the content associated with the email message differ based on a type of email message being either an outbound email message or a lateral email message (Pickman Para [0048]: this endpoint agent extension 100 uses the email classifiers that identify file attachment or linking rarity/anomalousness in the email and network domains to establish whether the file going with an outbound email is actually bad in context. For example, a file of an excel spreadsheet is not malicious in itself to an antivirus product if it contains no literal malware. However, an outbound email with this file if sent to an email address identified by the endpoint agent extension as the user's personal email address, or an email address of a competitor's domain, or a known malicious domain, now that outbound e-mail with this file is determined to be a malicious data exfiltration in context.). Pickman in view of Pettigrew does not explicitly disclose wherein the email protection module is configured to utilize different sets of weightings for analyzing the content associated with the email message differs based on a type of data loss characteristics detected being either an accidental data loss or a malicious data loss. Sundaram teaches wherein the email protection module is configured to utilize different sets of weightings for analyzing the content associated with the email message differs based on a type of data loss characteristics detected being either an accidental data loss or a malicious data loss (Para [0035]-[0037]. Para [0095]-[0096]: By implementing the methods described in steps 201-248, both misdirected email identification methods and email data loss prevention methods may be integrated. For example, if an email is identified as misdirected, but does not violate data loss prevention rules, the email may nevertheless be sent (e.g., to minimize notifications to a user). In contrast, if an email is identified as properly directed, but does violate data loss prevention rules, the message may be blocked (e.g., to prevent unauthorized transfer of confidential or other sensitive information). If a message is flagged using both the misdirected email identification and data loss prevention methods, it may similarly be blocked. Although shown as being performed in sequence, this is for illustrative purposes only, and in some instances, the misdirected email identification and data loss prevention methods/techniques may be performed in parallel. Furthermore, in some instances, outputs of each method/technique may be sent to a separate system for a final determination of how to proceed and/or to notify the message sender. In doing so, user experience may be balanced with message security and data loss, so as to prevent the sending of misdirected messages only when necessary. In some instances, the results of these methods for different use cases may be summarized in table 905, which is shown in FIG. 9.). Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Pickman in view of Pettigrew with the teachings of Sundaram to include different sets of weightings used for analyzing the content associated with the email message differs based on the type of email message and a type of data loss characteristics detected being either an accidental data loss or a malicious data loss in order to prevent the misdirected emails with user experience concerns. Claims 13, 20 are rejected under 35 U.S.C. 103 as being unpatentable over Pickman (US 20200396190 A1) in view of Pettigrew (US 20060112166 A1) in view of TALATI (US 20130110748 A1). Regarding claim 13, Pickman in view of Pettigrew teaches the non-transitory storage medium of claim 8, wherein the email protection module further comprises security mailbox assistant logic configured to generate, using artificial intelligence based (Al-based) logic (Fig. 6. Para [0079]. Para [0083]. Para [0112]: The cyber security appliance 660 may include components such as one or more machine learning models including a first Artificial Intelligence model trained on characteristics of an email itself and its related data, a second Artificial Intelligence model trained on potential cyber threats. when the models leverage at least two different approaches to detecting anomalies: e.g. comparing each system's behavior to its own history, and comparing that system to its peers' history and/or e.g. comparing an email to both characteristics of emails and the activities and behavior of its email users, this multiple source comparison allows the models to avoid learning existing bad behavior as ‘normal’ because compromised devices/users/components/emails will exhibit behavior different to their immediate peers.). Pickman in view of Pettigrew does not explicitly disclose wherein the email protection module further comprises security mailbox assistant logic configured to generate one or more feedback messages to an end user reporting the email message as an email security threat that identifies whether the email message constituted a data loss security threat and a brief explanation of notable factors as to why the email message warranted a data loss prevention action. TALATI does teach wherein the email protection module further comprises security mailbox assistant logic configured to generate one or more feedback messages to an end user reporting the email message as an email security threat that identifies whether the email message constituted a data loss security threat and a brief explanation of notable factors as to why the email message warranted a data loss prevention action (Claim 1. Para [0038]: The policy page may be viewed in an Internet browser. A sample policy page is shown in FIG. 2. The policy page may identify the reason the captured phrase is problematic, and/or suggest alternate language or actions for the user to take in order to reduce or eliminate the potential violation of policy or law.). Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Pickman in view of Pettigrew with the teachings of TALATI to include wherein the email protection module further comprises security mailbox assistant logic configured to generate one or more feedback messages to an end user reporting the email message as an email security threat that identifies whether the email message constituted a data loss security threat and a brief explanation of notable factors as to why the email message warranted a data loss prevention action in order to translate the security protocols into understandable feedback. Regarding claim 20, Pickman in view of Pettigrew teaches the computerized method of claim 14 further comprising: (perform an action) using artificial intelligence based (Al-based) logic (Fig. 6. Para [0079]. Para [0083]. Para [0112]: The cyber security appliance 660 may include components such as one or more machine learning models including a first Artificial Intelligence model trained on characteristics of an email itself and its related data, a second Artificial Intelligence model trained on potential cyber threats. when the models leverage at least two different approaches to detecting anomalies: e.g. comparing each system's behavior to its own history, and comparing that system to its peers' history and/or e.g. comparing an email to both characteristics of emails and the activities and behavior of its email users, this multiple source comparison allows the models to avoid learning existing bad behavior as ‘normal’ because compromised devices/users/components/emails will exhibit behavior different to their immediate peers.). Pickman in view of Pettigrew does not explicitly disclose generating one or more feedback messages to an end user reporting the email message as an email security threat that identifies whether the email message constituted a data loss security threat and a brief explanation of notable factors as to why the email message warranted a data loss prevention action. TALATI does teach generating one or more feedback messages to an end user reporting the email message as an email security threat that identifies whether the email message constituted a data loss security threat and a brief explanation of notable factors as to why the email message warranted a data loss prevention action (Claim 1. Para [0038]: The policy page may be viewed in an Internet browser. A sample policy page is shown in FIG. 2. The policy page may identify the reason the captured phrase is problematic, and/or suggest alternate language or actions for the user to take in order to reduce or eliminate the potential violation of policy or law.). Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Pickman in view of Pettigrew with the teachings of TALATI to include wherein the email protection module further comprises security mailbox assistant logic configured to generate, one or more feedback messages to an end user reporting the email message as an email security threat that identifies whether the email message constituted a data loss security threat and a brief explanation of notable factors as to why the email message warranted a data loss prevention action in order to translate the security protocols into understandable feedback. Claims 16 are rejected under 35 U.S.C. 103 as being unpatentable over Pickman (US 20200396190 A1) in view of Pettigrew (US 20060112166 A1) in view of Neystadt (US 20250133111 A1). Regarding claim 16, Pickman in view of Pettigrew teaches the computerized method of claim 15, the analyzing of the results is conducted by an Artificial Intelligence (AI) model trained to detect normal and expected email message exchanges within the enterprise (Fig. 6. Para [0079]. Para [0083]. Para [0112]: The cyber security appliance 660 may include components such as one or more machine learning models including a first Artificial Intelligence model trained on characteristics of an email itself and its related data, a second Artificial Intelligence model trained on potential cyber threats. when the models leverage at least two different approaches to detecting anomalies: e.g. comparing each system's behavior to its own history, and comparing that system to its peers' history and/or e.g. comparing an email to both characteristics of emails and the activities and behavior of its email users, this multiple source comparison allows the models to avoid learning existing bad behavior as ‘normal’ because compromised devices/users/components/emails will exhibit behavior different to their immediate peers.). Pickman in view of Pettigrew does not explicitly disclose wherein the analyzing of the specific content is conducted by a first analysis source corresponding to a large language module (LLM). Neystadt teaches wherein the analyzing of the specific content is conducted by a first analysis source corresponding to a large language module (LLM) (claim 1) Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Pickman in view of Pettigrew with the teachings of Neystadt to include wherein the analyzing of the specific content is conducted by a first analysis source corresponding to a large language module (LLM) in order to reduce manual work, and simplify data extraction from end to end. Claims 17 are rejected under 35 U.S.C. 103 as being unpatentable over Pickman (US 20200396190 A1) in view of Pettigrew (US 20060112166 A1) in view of Neystadt (US 20250133111 A1) in view of Brown (US 20110225253 A1). Regarding claim 17, Pickman in view of Pettigrew in view of Neystadt teaches the computerized method of claim 16. Pickman in view of Pettigrew in view of Neystadt does not explicitly disclose wherein the specific content uncovered from the analysis of the email message includes determining whether the email message is an outbound email message or a lateral email message by at least determining differences in email domains between a sender of the email message and a targeted recipient of the email message. Brown teaches wherein the specific content uncovered from the analysis of the email message includes determining whether the email message is an outbound email message or a lateral email message by at least determining differences in email domains between a sender of the email message and a targeted recipient of the email message (Para [0105]). Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Pickman in view of Pettigrew in view Neystadt with the teachings of Brown to include wherein the specific content uncovered from the analysis of the email message includes determining whether the email message is an outbound email message or a lateral email message by at least determining differences in email domains between a sender of the email message and a targeted recipient of the email message in order to block employees from sharing sensitive data externally. Claim 19 is rejected under 35 U.S.C. 103 as being unpatentable over Pickman (US 20200396190 A1) in view of in view of Pettigrew (US 20060112166 A1) in view of Sundaram (US 20220394008 A1) Regarding claim 19, Pickman in view of Pettigrew teaches the computerized method of claim 17. Pickman in view of Pettigrew does not explicitly disclose wherein the email protection module is configured to utilize different sets of weightings for analyzing the content associated with the email message differs based on a type of data loss characteristics detected being either an accidental data loss or a malicious data loss. Sundaram teaches wherein the email protection module is configured to utilize different sets of weightings for analyzing the content associated with the email message differs based on a type of data loss characteristics detected being either an accidental data loss or a malicious data loss (Para [0035]-[0037]. Para [0095]-[0096]: By implementing the methods described in steps 201-248, both misdirected email identification methods and email data loss prevention methods may be integrated. For example, if an email is identified as misdirected, but does not violate data loss prevention rules, the email may nevertheless be sent (e.g., to minimize notifications to a user). In contrast, if an email is identified as properly directed, but does violate data loss prevention rules, the message may be blocked (e.g., to prevent unauthorized transfer of confidential or other sensitive information). If a message is flagged using both the misdirected email identification and data loss prevention methods, it may similarly be blocked. Although shown as being performed in sequence, this is for illustrative purposes only, and in some instances, the misdirected email identification and data loss prevention methods/techniques may be performed in parallel. Furthermore, in some instances, outputs of each method/technique may be sent to a separate system for a final determination of how to proceed and/or to notify the message sender. In doing so, user experience may be balanced with message security and data loss, so as to prevent the sending of misdirected messages only when necessary. In some instances, the results of these methods for different use cases may be summarized in table 905, which is shown in FIG. 9.). Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Pickman in view of Pettigrew with the teachings of Sundaram to include different sets of weightings used for analyzing the content associated with the email message differs based on the type of email message and a type of data loss characteristics detected being either an accidental data loss or a malicious data loss in order to prevent the misdirected emails with user experience concerns. Allowable Subject Matter Claim 18 objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claims and any intervening claims. The following is a statement of reasons for the indication of allowable subject matter: The closet prior arts made of record art: Pickman (US 20200396190 A1) teaches an endpoint agent extension of a cyber defense system for email that includes modules and machine learning models. An integration module integrates with an email client application to detect email cyber threats in emails in the email client application as well as regulate emails. An action module interfaces with the email client application to direct autonomous actions against an outbound email and/or its files when a cyber threat module determines the email and/or its files (a) to be a data exfiltration threat, (b) to be both malicious and anomalous behavior as compared to a user's modeled email behavior, and (c) any combination of these. The autonomous actions can include actions of logging a user off the email client application, preventing the sending of the email, stripping the attached files and/or disabling the link to the files from the email, and sending a notification to cyber security personnel regarding the email. Zhang (US 11455407 B2) teaches Systems and methods include obtaining an expression for a Data Loss Prevention (DLP) engine, wherein the expression includes one or more DLP dictionaries that evaluate to a score for comparison with a corresponding threshold and one or more logical operators used to combine an evaluation of the one or more DLP dictionaries; storing the expression in a database associated with a DLP service; monitoring traffic from one or more users; evaluating the traffic using the DLP engine and the expression; and determining a DLP trigger based on a result of the expression that is a logical TRUE. Regarding dependent claim 18, the Examiner found neither prior art cited in its entirety, nor based on the prior art, found any motivation to combine any of said prior art that teaches “wherein the email protection module is configured to utilize a first set of weightings for features associated with the email message to analyze the email message operating as an outbound email message for potential data loss characteristics and utilize a second set of weightings, different from the first set of weightings, for at least some of the features associated with the email message to analyze the email message operating as a lateral email message for potential data loss characteristics.” Conclusion Any inquiry concerning this communication or earlier communications from the examiner should be directed to JUDY BAZNA whose telephone number is (703)756-1258. The examiner can normally be reached Monday - Friday 08:30 AM-05:00 PM. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached at (571) 272-3739. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /JUDY BAZNA/ Examiner, Art Unit 2495 /FARID HOMAYOUNMEHR/ Supervisory Patent Examiner, Art Unit 2495
Read full office action

Prosecution Timeline

Feb 20, 2025
Application Filed
Jul 01, 2026
Non-Final Rejection mailed — §102, §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12641098
METHOD AND APPARATUS FOR DETECTING ANOMALIES OF AN INFRASTRUCTURE IN A NETWORK
4y 2m to grant Granted May 26, 2026
Patent 12585784
SYSTEM FOR COMPONENT-LEVEL THREAT ASSESSMENT IN A COMPUTING ENVIRONMENT
2y 11m to grant Granted Mar 24, 2026
Patent 12579261
MANAGING INFERENCE MODELS IN VIEW OF RECONSTRUCTABILITY OF SENSITIVE INFORMATION
1y 9m to grant Granted Mar 17, 2026
Patent 12572643
CIRCUIT AND METHOD FOR DETECTING A FAULT INJECTION ATTACK IN AN INTEGRATED CIRCUIT
3y 6m to grant Granted Mar 10, 2026
Patent 12549335
COORDINATING DATA ACCESS AMONG MULTIPLE SERVICES
3y 4m to grant Granted Feb 10, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Strategy Recommendation AI-generated — please review before filing

Get a prosecution strategy drawn from examiner precedents, rejection analysis, and claim mapping.
Typically takes 5-10 seconds — AI-generated, attorney review required before filing

Prosecution Projections

1-2
Expected OA Rounds
67%
Grant Probability
92%
With Interview (+25.6%)
3y 1m (~1y 8m remaining)
Median Time to Grant
Low
PTA Risk
Based on 27 resolved cases by this examiner. Grant probability derived from career allowance rate.

Sign in with your work email

Enter your email to receive a magic link. No password needed.

Personal email addresses (Gmail, Yahoo, etc.) are not accepted.

Free tier: 3 strategy analyses per month